Firefox 143 for Android to introduce DoH
55 comments
·September 17, 2025MrAlex94
sersi
Hey, just wanted to say thanks for your work on Waterfox!
temp0826
> DoOH
How is the latency?
LiamPowell
This doesn't address why this needs to be built in to the browser when Android already does DoH by itself. I assume there's a reason, does anyone know what it is?
alerighi
First not all Android versions do that, and not all vendors implement that. Not everyone is running the latest version and has a Google Pixel. Second passing from the OS is less secure since there are a multitude of actors, Google, the device vendor, eventual VPN app, etc. that could get access to that queries (in fact apps to block ADS such as ADAway if you don't have root use VPN functionality to intercept DNS queries). In the end if you want to be safe better not pass from the OS in the first place.
thyristan
Query statistics is valuable data you can sell. Client DNS queries are in that regard similar to search queries and a default search engine setting, you can sell that to the highest bidder. So browser makers are incentivized to implement their own resolver with its own set of DNS servers instead of just the system ones. Either because they want to sell those statistics themselves. Or because they want to protect their users from the statistics collection of the underlying OS resolver or ISP resolver.
ekr____
Android does same-provider auto-upgrade if it determines that the recursive supports DoH (last I checked, if it's on Google's list). However, this means that unless you configure your own resolver, you're vulnerable to whoever controls the network substituting their own resolver. Firefox uses a set of vetted and pre-specified resolvers ("trusted recursive resolvers"), so is less vulnerable to this form of attack. I say "less vulnerable" because by default it will fall back to the system DNS on failure, but you can configure hard-fail.
You may or may not think this is a better design (I was one of the people responsible for Firefox doing things this way, so I do), but hopefully this explains the difference.
See: https://educatedguesswork.org/posts/dns-security-dox/ for more on the difference.
jansper39
I thought Android only supported DNS over TLS, so at least this opens up options for people.
noirscape
Android privacy tools are leaky (which is bad given it's privacy tooling, you don't want that to leak!) Their VPN tools on OS level are pretty notorious for not properly respecting kill switch settings[0].
That alone makes a native browser implementation a better solution than the OS version.
[0]: https://mullvad.net/en/blog/dns-traffic-can-leak-outside-the... is just one example I found on Google (in this case, using the C function getaddrinfo bypasses the tunnel entirely, which Chrome in particular uses for DNS queries - only android API calls respect the tunnel), but you hear about stuff like this every couple years; in that post they also link to a prior incident where connectivity checks and NTP updates were conveniently not using the VPN even when killswitches are active. Neither of these incidents have been fixed as of the time of writing (and Google explicitly doesn't consider conncheck/NTP calls occuring outside of the VPN tunnel to be a bug.)
izacus
What does your post have to do with DoH though?
seanieb
Privacy.
LiamPowell
Why is DoH in the browser more private than DoH in the OS?
lucideer
Because there are fewer actors to trust.
In the OS you need to trust (1) the OS vendor, (2) the client vendor & (3) any VPN app or HTTP intermediary that's integrated with OS network APIs.
In the client you need only to trust the client vendor.
DetroitThrow
It's all about whether you trust the OS to not track you when doing DoH at that level. In both mobile browser ecosystems, I can see why users of a browser would prefer the independent browser to do the DoH themselves, rather than leave it to the OS.
add-sub-mul-div
It's not Google. My heuristic is that the bigger the tech giant the more sophisticated, indirect, and obfuscated the sharing/selling of data.
ape4
Yeah, Android is Google
woodrowbarlow
does android not allow you to configure a custom DoH resolver? could Mozilla simply offer a public resolver, and encourage users to switch at the OS level (possibly including a first-launch dialog offering to set the configuration for you)?
throw7
Does anyone know how to force disable DoH on a network?
In https://support.mozilla.org/en-US/kb/canary-domain-use-appli... it says that the canary domain does not apply for users who have made the choice to turn on DoH by themselves.
I want to avoid running an sslproxy, and it seems an application level proxy on the firewalls is necessary.
xvdAZh
Outside of IP-blocking known popular DoH hosts (e.g. https://github.com/jameshas/Public-DoH-Lists, and even then it's not the best since there's overlap with popular DNS hosts like Cloudflare), there's no good way to do it without break-and-inspect. That's because DoH is TLS traffic over 443, just with DNS inside instead of HTTP.
nemomarx
What's the good DoH provider nowadays? I feel like cloud flare has some downsides in terms of centralization
grepfru_it
For those wanting a bit of privacy, you can run your own DOH server[0]. Be aware that the upstream requests can still be tracked, but additional safety steps can be taken such as hosting your own dns resolver (bind/powerdns), sending dns/doh queries over a vpn or tor connection, or spanning queries over multiple sources. Each has its own security and privacy implications, which is beyond the scope of this comment :)
mrweasel
Running your own DOH server comes with it's own set of risks, depending on your adversary. If you're the only person using a DOH server, then any requests that server make must belong to you. I'd argue that it's better to use a public server and hide in between the other users.
mrweasel
Wikimedia runs an experimental DoH server, see: https://meta.wikimedia.org/wiki/Wikimedia_DNS
miyuru
For Germany/EU there is ffmuc: https://social.ffmuc.net/@freifunkMUC/114087819103432120
Hopefully we will see more regional DOH providers instead of centralized ones.
jsheard
Mullvad runs a privacy-oriented DoH service, which is free to use regardless of whether you use their VPN service.
traceroute66
Mullvad DoH is great, and things like ad-blocking seems to be more effective on Mullvad.
But, and its a BIG BUT ....
Mullvad don't have the geo-coverage that Quad9 has. They are predominantly Northern Europe with very limited server coverage outside (6x Northern Europe, 2xUSA, 1xSingapore)
Which is fine if you spend most of your time in those three places.
But if you are a road-warrior or you live elsewhere, then Quad9 is the better choice as they have global coverage (200 locations, 90 countries).
Avoid Cloudflare. They log traffic. Sure for a short-time period ($n days) but Quad9 still has the better privacy policy.
Quad9 is also Swiss, not US, so they can't be compelled to do anything under PATRIOT or whatever.
hocuspocus
NextDNS is great
qiine
I like quad9
afh1
>DNS query [...] in the clear. [...] (DoH) plugs this privacy leak [...] no one on the network, not your internet service provider [...] can eavesdrop on your browsing
Whoever could see DNS traffic can still see the target you're connecting to...
bscphil
The promise is especially dangerous when a huge fraction of traffic doesn't use Encrypted Client Hello, [1] so the domain name is sent in the clear with the initial request to the server.
A while back I wrote a quick proof-of-concept that parses packet data from sniffglue [2] and ran it on my very low powered router to log all source IP address + hostname headers. It didn't even use a measurable amount of CPU, and I didn't bother to implement it efficiently, either.
I think it's safe to assume that anyone in a position to MITM you, including your ISP, could easily be logging this traffic if they want to.
[1] https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
kyrra
But if that request is going to a large provider (GCP, AWS, CloudFlare), without the hostname, the request is going to be close to meaningless for the snoop.
mentalgear
I wonder why DOH is in the intro described as getting activated by region. Is DoH now active globally for every region, on any (desktop) platform (Mac/Windows) ?
Aldipower
DoH centralizes DNS traffic at a few DoH resolvers. Bad thing.
ekr____
Actually, DoH doesn't change the situation here one way or the other, it's just a transport. It's true, that Firefox's approach to DoH ("trusted recursive resolver") does. centralize traffic some, but DoH need not be deployed this way. For example, Chrome does what's called same provider auto upgrade, which doesn't change the resolver, but just tries to use DoH if available.
mikepo
One approach to mitigate this is to spread the queries to multiple DoH providers: https://www3.cs.stonybrook.edu/~mikepo/papers/k-resolver.mad...
ChrisArchitect
Update title to include "DNS-over-HTTPS"
revanwjy
[dead]
neworder56
[flagged]
kattagarian
> If you don't like people seeing your history on the web, maybe think twice about what you do. Maybe you are the problem.
Thanks for your input, google.
neworder56
Sorry this is Microsoft, I get the confusion.
nemomarx
"if you have nothing to hide" sure sure. show us your history please
63stack
Please post your browsing history from your past 14 days to back up your insane hot take.
idiotsecant
Tiresome 0 minute old troll. Disregard.
DetroitThrow
Kind of wish brand new accounts would get auto-banned if they get comments flagged within a certain timeframe of their creation.
neworder56
I wished if you made a new account on a platform, you wouldn't automatically be considered a 'troll' if you go against the mainstream narrative.
Very welcoming to new comers.
dbcooper
Firefox for Android is some of the worst software I've ever used. A lot of extensions won't work in it, and even Edge Canary is far better with them. It is extremely slow, and the UI is horrible.
I'm running it on a device with a Qualcomm SM8635 Snapdragon 8s Gen 3 chipset, and it just crawls. The UI is very unresponsive, and page load times are terrible. It also has to reload the page if it was running in the background and you switch back to it.
MaKey
I don't have any issues with it. NoScript and uBlock Origin are working fine for me.
veyh
That's pretty harsh. It works fine for me. But even if it didn't, I'd still use it just for uBlock Origin.
dbcooper
I'm running it on a device with a Qualcomm SM8635 Snapdragon 8s Gen 3 chipset, and it just crawls. The UI is very unresponsive, and page load times are terrible.
For youtube background play Brave is much better.
Not sure why it took so long for Mozilla to expose the setting on Android, it's been a 'secret' setting for a long time. In fact, sometimes they let features ride the rails for a little bit too long IMO.
For Waterfox for Android I exposed the setting by default and also added an addition DNS over Oblivious HTTP setting (DoOH) which uses Fastly as the relay (they host and control it, for privacy sanitisation) and Cloudflare as the resolver.